Directing Microsoft Office 365 (O365) Login Traffic

DRAFT IN PROGRESS!

Background:
I’ve been working with a current customer to roll out Z-App, and migrate away from a PAC file using a Dedicated Proxy Port (DPP). In order to do this, we started with a clean default PAC file.

Their previous PAC file had many (but not all) of the O365 URLs completely bypassing Zscaler. They did this so that they bypass multi-factor authentication when users logged into O365 from a corporate location. Unfortunately, this also meant that they lost visibility to this traffic and they didn’t benefit from Zscaler’s technical relationship with Microsoft.

The customer was also having some authentication challenges, and the customer has now decided to leave Z-App enabled for on-premises and off-premises users.

First Use-Case:
Since the authentication process is the only time Microsoft applies conditional access policies related to source IP address, you don’t need to bypass Zscaler for all of the traffic. You only need to carve off the login traffic from Zscaler.

To do this, we added the below lines to the default PAC file, and applied it to an Z-App Profile.

if (localHostOrDomainIs(host, “[ANY_IDP_URL]”)) ||
(localHostOrDomainIs(host, “login.microsoft.com”")) ||
(localHostOrDomainIs(host, “login.microsoftonline.com”)) ||
(localHostOrDomainIs(host, “login.windows.net”)) ||
(localHostOrDomainIs(host, “login.office365.com”))
return “DIRECT”;

Doing the above will send only this traffic direct.

  • If the user is on-premises, the traffic will egress with the customer’s IP address. This IP address is whitelisted within the conditional access, and the user will not be prompted for MFA.
  • If the user is off-premises, the traffic will egress with the end user’s IP address… prompting for multi-factor authentication (MFA).

Another use case is if the customer also has ZPA, and they want to lock down their Office365 traffic to their corporate egress IP addresses.

The same concept above applies here. Except this time, we use ZPA to direct just the login traffic to one more more ZPA Connector Group.

To accomplish this, create an App Segment for the login URLs.

This will force just the login traffic over ZPA, and to reach the appropriate URLs from the customer’s egress IP addresses that have been whitelisted with Microsoft’s conditional access.

5 Likes

Kris,

For our ZIA customers, when would you recommend using Virtual Service Edge over this method for Source IP anchoring and Preservation?

Nice writeup!

Personally, I would just do this if O365 login is the only Source IP anchored application. They have to allow the traffic out to the internet directly, and have DNS resolution and routing.

If they had more Source IP anchored application, or if the traffic couldn’t be routed directly… I’d use Virtual Service Edges and/or ZPA.